Photographs, signatures, and identification numbers are commonly used to identify and verify the identity of individuals. However, these common identifying means are very easy to counterfeit, and in fact, the vast increase of business and financial transactions carried out over electronic means, such as the Internet and data communication, resulted in greater vulnerability of merchants, and end users to fraud and counterfeit.
Many of the modern ways of doing business enjoy the availability and speed of electronic communications, but do not require the presence of the entities involved at the time and place of transaction. It is therefore very easy for a malicious user to pretend to be someone else, and to carry out transactions in his name, once he gains access to some of his identifying details such as passwords, ID number, credit card numbers, etc. Although using passwords increase the security of such methods of doing business, and security layers (e.g. SSL) which utilize encryption provide more protection against eavesdropping, the main problem of identification and verification still remain.
Generally, the strength of a security system is measured by the number and diversity of the security “factors” that are required. Three such types of security factors are commonly known as “something you know” (e.g. a password); “something you have” (e.g. a magnetic card, smart card); and “something you are” (e.g. biometric measures such as voice.) For example, a password by itself may not provide complete security, because a holder may inadvertently disclose it, or the password can be guessed. Moreover, a magnetic card can be lost or stolen. Security is substantially enhanced when a password is used as one factor, and the authenticated presence of an identification card (e.g., magnetic card) is used as another factor.
The Internet and the World Wide Web (WWW) contain a variety of different sites for e-commerce and online services. In addition to news and information, merchants and consumers alike have come to view the web as a virtually unlimited source for conducting business, in the form of sales of products, services, and information. Nevertheless, many computer users are still somewhat wary of conducting sales transactions over the web especially because credit cards are involved, along with the associated fear of widespread and unchecked dissemination of the credit card numbers. These same users may also be worried about conducting non-Internet related sales transactions using credit cards. After all, anyone can swipe a credit card number and use it later for unauthorized purchases. Assurances from well-meaning web (and non-web) merchants do not alleviate these concerns, because the user has to carry a credit card in his person, which can be easily stolen or lost (and thus found by a thief). Moreover, the custom methods of conducting e-commerce utilized today are unsafe with respect to the relative ease in which sensitive users' information can be burglarized. Since the authentication is usually performed by a server connected to the a computer network and/or the Internet, sensitive user information, such as identification and/or credit card numbers, is vulnerable to hackers attacks and eavesdropping.
What is needed, therefore, is a secure purchasing mechanism that provides users with the peace of mind to make a purchase on the web (or any other form of electronic purchase or other secure information access) without the fear of having his credit card number stolen by someone listening-in at any point in the transaction.
Typically, systems that provide security to such online users do so to the detriment of user convenience. Because the Internet is a mass-medium, the success of online services depends largely on preserving user convenience. Without such convenience, users would become decreasingly tolerant resulting in a loss of business and social opportunities for both web merchants and users.
Traditional microprocessor credit cards, also known as “smart cards” or “chip cards,” provide a good degree of security. But while smart cards that work in conjunction with dedicated smart card readers have become prevalent (i.e., bank cards in Europe), they are ill-suited for deployment as widespread Internet access control devices. Deploying smart card readers to users in their homes, for example, and educating users on their installation and use, is a cumbersome, expensive, and inconvenient process.
The prior art smart card systems were largely developed for a disconnected world; that is, maintaining a constant connection between the smart card and some other entity was considered expensive, inconvenient, and largely unnecessary. Indeed, the telephone charge itself was significant enough in cost to warrant minimizing such connection times.
One of the weaknesses of digital devices is their ease of duplication. Since digital devices embody binary information, a duplicated digital device can produce the same output as the original one. In order to overcome the duplication problem, the operation of the electric card can be made conditional on by the provision of a password, such as the password used in mobile phones. However, this solution is inconvenient, since the user has to type such password. Moreover, a password-protected device should comprise a set of keys, in order to enable to type a password. Passwords also must be remembered by the user, and hence they are inconvenient, and not secure, since a user may write them down instead of remembering them.
Voice verification (speaker verification) methods improve the identification capabilities and provide convenient implementations for the end user. In this method, the voice pattern of the users is utilized to identify him and to allow access only to authorized users. Voice recognition is sometimes utilized in conjunction with voice verification, or even as a stand-alone implementation, to determine if a predefined word or phrase (password) is vocally pronounced by an authorized user.
Usually, in voice verification applications the identity of individuals is verified by comparing their voice pattern, that is obtained when a predefined word or phrase is pronounced (password), with users' voice pattern stored in the authenticating system database. For such verification, a predefined word or phrase should be agreed on, and the voice pattern of the individual, to which the word or phrase is assigned, is processed and stored. In this verification scheme two of the factors that were discussed above are utilized, i.e., “something you know” and “something you are”. However, when attempting to identify an individual, his voice pattern should be compared against the entire database of authorized individuals' patterns, which is a long process, and thus not always acceptable for electronic commerce and financial transactions.
In patent application U.S. Pat. No. 4,961,229, a biometric method for authentication/verification of individuals is disclosed, where the voice patterns of the authorized individuals are utilized for authentication. This method combines all of the security factors that were discussed before; “something you know”, “something you have”, and “something you are”. More particularly, the identity of an individual is authenticated by utilizing an additional identification device (magnetic card for instance) “something you have”, comprising some identifying information of the user (names, identification numbers, etc.), and user's voice pattern. The verification process is initiated by enabling the verification system to access the identification device and interrogate the user's information, and voice pattern, stored on it. Once the details of that person are retrieved by the authenticating system, his voice pattern is compared with the voice pattern stored on his identification device. In this way the identification process is substantially shortened, since the pattern recognition test is performed with only one pattern.
To verify the presence of a particular individual, the voice pattern stored on the smart card is compared to his voice at the time of authentication. This type of security is robust against forgery, but requires dedicated hardware to input and process vocal signals, and the direct access to the information stored on a smart-card, which should be in the possession of each authorized entity, and which should be somehow connected to the authenticating system. Therefore, it is not adequate for authenticating individual users over the Internet or other electronic communication systems, since it requires smart card readers to be at the possession of the end-user (microphone & smart-card reader). In a similar fashion, WO 99/22362 describes a method for the identification of authorized users, by utilizing a mobile device on which users' identifying information, and a biometric voice pattern, are stored.
It should be understood that all the methods described above are performed online. Furthermore, the utilization of card readers, microphones, and other fixed hardware, eventuate in a fixed authentication system. In other words, none of those methods enable efficient realization of a mobile authentication system. As will be appreciated, the efficiency and satisfaction of transactions, such as e-commerce, will be substantially increased if the identity of the user can be verified before he interacts with the system. In this way, the time required for such transaction may be substantially reduced.
An additional limitation of those prior art systems that utilize smart cards and voice verification through software means on a general purpose computer that is subject to tampering, and is not portable to devices not possessing that software. The foregoing problems can be resolved by a voice verification apparatus that is embedded in the smart card itself, which is mobile, and not readily reprogrammable or addressable by interlopers.
Voice recognition is used to recognize vocally pronounced words, in a predefined language, or alternatively, in any language. There are some similarities between voice recognition and voice verification; while in voice verification the voice pattern of an individual is detected, in voice recognition the pattern of specific words is detected. Interactive Voice Response (IVR) utilities enable end-users to select a desired operations/option from a list of possibilities, by vocally pronouncing their selection. However, there is no operating application known in the art, in which a mobile device enables end users to vocal interaction with such systems.
All the methods described above have not yet provided convenient means for the vocal interaction of users with computerized systems, and satisfactory solutions to the problem of efficiently authenticating and verifying identity of individuals over data communication systems and computer networks, such as the Internet.
It is an object of the present invention to provide a method and apparatus for the fast and efficient identification of individuals, based on the identification of voice patterns.
It is another object of the present invention to provide a method and apparatus for enabling end users to vocally interact with user devices, and to carry out instructions received in the form of speech.
It is a further object of the present invention to provide a method and apparatus for carrying out the offline identification of individuals, where the identity of a user is verified before he interacts with, or gain access to, the system.
It is a still another object of the present invention to provide a method and apparatus for the vocal identification of individuals where the identification is performed by a mobile device carried by the user.
It is a yet another object of the present invention to provide a method and apparatus for converting vocal information into textual and/or digital data.
It is a still further object of the present invention to provide a method and apparatus for mobile IVR applications wherein users are presented with voice prompts (menus and/or instructions), and react, vocally, accordingly.
Other objects and advantages of the invention will become apparent as the description proceeds.